Growing the Internet of Things, part 5: Security

What will it take to really grow the Internet of Things (IoT)? The answer is complex and multifaceted, and we have to consider the following areas:

Cost

Ease of use

Interoperability

Future proofing

Security

In part 1 we discussed the Cost of IoT devices, and how cost is being driven down by market factors including scale and advances in technology. Part 2 addressed Ease of Use considerations designers must make to ensure usability for regular connected device consumers, while part 3 tackled further market implications of Interoperability and the reduction of wireless standards and application-layer protocols. In my previous post, part 4, more design considerations were suggested for Future Proofing, including forward-looking design paradigms that include the flexibility for software upgrades and not-as-yet-needed hardware components.

In this final entry, part 5, I consider how Security will play a role in growing the IoT.

Security is a key topic that cuts across all the other IoT areas we have examined: Cost, Ease of Use, Interoperability, and Future Proofing.

How does security cut across all of these? Often implementing security in IoT devices involves tradeoffs between some of these factors, and these tradeoffs must be carefully evaluated.

Cost is a simple metric for device manufacturers, as they are rather cost-sensitive in the design phase of a project. I have had security consultants suggest the addition of tamper protection to a device such as a light bulb. For example, if someone breaks into your home, you are generally not concerned that the intruder will take apart your light bulb to see if they can hack into it, so for most consumers tamper protection is not a valuable feature in a light bulb. For a commercial building, however, this feature may be more interesting, and therefore a customer may be willing to pay for it.

Ease of Use is also often a tradeoff with security. Consumers like the simplicity of new keyless entry systems on cars. When you approach the car, it unlocks, and you simply push the start button and drive away. No need to search for keys in your purse or briefcase. However, this consumer ease of use can provide a means for someone to steal the car if they either amplify the keyfob signal when you are away from the car, or if they can hack the security codes in the keyfob itself.

Security can also impact Interoperability. If I build a door lock using the same technology and protocols as another connected device, but I require use of an application key and another device does not, we will not interoperate. Security has also been viewed as an interoperability problem because it has not been turned on in devices. A recent article on Bluetooth indicated many Bluetooth door locks had security issues because many of the devices were not turning on the underlying Bluetooth security. This is a product design choice, and not an interoperability problem.

For Future Proofing, security again is an important factor. The security of a system is only as good as the most recent vulnerability found. We expect our phones and personal computers to require updates to address new security attacks. Shouldn’t we expect the same functionality from our connected devices? However, the process of updating software can also be a way of attacking a device, and the update process must be secure.

As much as security involves tradeoffs in product design, it is reasonably well understood what is needed to address at least basic security in a connected device: lock the device so it is not accessible over debug ports, ensure software updates can be done (and done securely), limit access to authorized users or devices only, and use standard and industry-proven security protocols to minimize risks. While it is common to see articles about security issues, it is difficult to see consumers using security as a buying criterion between devices.

Security is an area where continued attacks and updates are the status quo. However, basic device security must be implemented to protect against the very simple attacks that are already occurring. Adding connectivity to a device means there are new means to attack and exploit the device. Companies have to assess the risks and take the basic steps required for security if we are going to slow the exploitation of connected devices. The steady drumbeat of articles about new IoT devices that have insufficient protections is a reflection of the industry not spending enough time on some basic protections.

Watch for a separate blog in the near future on the basics of security for these simple connected devices, and why we need to be adding this critical technology now.

Closing thoughts

The growth of the IoT is a topic that has been receiving a lot of attention lately. We have moved past the initial hype into real devices in our homes, offices, factories, and cars, and we are seeing some of the issues discussed in this series hold back growth in the IoT. Some journalists, bloggers, and other pundits use these problems to write about how badly the IoT is going. As someone who is involved in the IoT with many partners and customers, I can say from experience that the IoT is growing very rapidly as more companies adopt connectivity in more devices. The IoT is really just about connecting devices that have not previously been connected to allow us to do new and interesting things with them. When you think about the number of connected devices in your home today versus ten years ago, the shift is pretty stark. We are connecting more and more devices to allow us to monitor, control, and adapt.

However, we need to address the key issues that are slowing adoption – Cost, Ease of Use, Interoperability, Future Proofing, and Security – if we want to minimize some of the growing pains. Consumers and businesses will continue to connect more devices, but we need to make this connectivity simple, foolproof, and secure.